From 145f29b4773e0c7d162dcb0116198604c05e5eac Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sat, 30 Jun 2018 00:42:08 -0500
Subject: [PATCH] Improve version check
- Add check for some Libreswan versions that are not available
- Include Libreswan 3.25 in multiple IPsec/XAuth clients warning
- Cleanup notes
---
 extras/vpnupgrade.sh | 40 ++++++++++++++++++++-----------------
 extras/vpnupgrade_centos.sh | 40 ++++++++++++++++++++-----------------
 2 files changed, 44 insertions(+), 36 deletions(-)
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 28a37ab..5537249 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -47,6 +47,12 @@ if [ -z "$SWAN_VER" ]; then
 exiterr "Libreswan version 'SWAN_VER' not specified."
 fi
+case "$SWAN_VER" in
+ 3.24|3.2[6-9])
+ exiterr "Libreswan version $SWAN_VER is not available."
+ ;;
+esac
+
 ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
 if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
 exiterr "This script requires Libreswan already installed."
@@ -89,11 +95,11 @@ Version to be installed: Libreswan $SWAN_VER
 EOF
-if [ "$SWAN_VER" = "3.23" ]; then
+if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then
 cat <<'EOF'
-WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth
- VPN clients from behind the same NAT (e.g. home router).
- Do not upgrade to 3.23 if your use cases include the above.
+WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
+ IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
+ DO NOT upgrade to 3.23/3.25 if your use cases include the above.
 EOF
 fi
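Review bot: The new `case` in the `@@ -47` hunk only denies a fixed list (`3.24|3.2[6-9]`), so any other value of `$SWAN_VER` — a typo such as `3.2x` or a release that does not exist yet — is accepted as a valid Libreswan version and flows into the rest of the script; if that value is later interpolated into a download URL or install path (not visible in this hunk), it reaches that point unchecked. Back the denylist with a shape check by adding two arms after the existing one: `[0-9].[0-9]|[0-9].[0-9][0-9]) ;;` and `*) exiterr "Libreswan version '$SWAN_VER' is not valid." ;;`, which keeps the POSIX `[`-style of the surrounding script and rejects anything that is not `major.minor`. The identical denylist appears in the `@@ -38` hunk of `extras/vpnupgrade_centos.sh`, and the later `3.2[3-9])` arm in the `@@ -203` hunk now overlaps versions this arm rejects, so keeping the version list in one place would stop the two from drifting apart. The enclosing script continues outside the hunk.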
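Review bot: The condition in the `@@ -89` hunk, `if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then`, is a version dispatch written as chained tests, whereas the rest of this commit dispatches on `$SWAN_VER` with `case` (the new block in the `@@ -47` hunk and the `3.2[3-9])` arm in the `@@ -203` hunk); `case "$SWAN_VER" in 3.23|3.25)` with the `cat` heredoc as the arm body and `;;`/`esac` in place of `fi` reads the same way and takes one more affected release without growing the test chain. The same construct is in the `@@ -80` hunk of `extras/vpnupgrade_centos.sh`.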
@@ -103,14 +109,14 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes.
 This script will make the following changes to your /etc/ipsec.conf:
 Replace this line:
- auth=esp
+ auth=esp
 with the following:
- phase2=esp
+ phase2=esp
 Replace this line:
- forceencaps=yes
+ forceencaps=yes
 with the following:
- encapsulation=yes
+ encapsulation=yes
 Consolidate VPN ciphers for "ike=" and "phase2alg=".
 Re-add "MODP1024" to the list of allowed "ike=" ciphers,
@@ -203,12 +209,11 @@ echo
 case "$SWAN_VER" in
 3.2[3-9])
 cat <<'EOF'
-NOTE: Users upgrading to Libreswan 3.23 or newer should edit
- "/etc/ipsec.conf" and replace these two lines:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines:
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
 with a single line like this:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
 Then run "service ipsec restart".
 EOF
@@ -217,12 +222,11 @@ esac
 if [ "$is_downgrade_to_322" = "1" ]; then
 cat <<'EOF'
-NOTE: Users downgrading to Libreswan 3.22 should edit
- "/etc/ipsec.conf" and replace this line:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line:
+ modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
 with two lines like this:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
 Then run "service ipsec restart".
 EOF
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 81e3ace..e1726e6 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
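Review bot: The rewritten first heredoc line in the `@@ -203` hunk, `NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines:`, is over 100 characters, while every other user-facing note in these scripts (the WARNING block in the `@@ -89` hunk, the `NOTE: Libreswan versions 3.19` block above) wraps at roughly 80 columns, so on an 80-column terminal this line wraps at an arbitrary point inside the quoted path instead of at the author's chosen break. Keeping the two-line form from the old side, with the continuation indented like the `modecfgdns` lines that follow, preserves the on-screen layout and matches the neighbouring notes. The same applies to the downgrade note in the `@@ -217` hunk and to both counterparts in `extras/vpnupgrade_centos.sh`.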
@@ -38,6 +38,12 @@ if [ -z "$SWAN_VER" ]; then
 exiterr "Libreswan version 'SWAN_VER' not specified."
 fi
+case "$SWAN_VER" in
+ 3.24|3.2[6-9])
+ exiterr "Libreswan version $SWAN_VER is not available."
+ ;;
+esac
+
 ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
 if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
 exiterr "This script requires Libreswan already installed."
@@ -80,11 +86,11 @@ Version to be installed: Libreswan $SWAN_VER
 EOF
-if [ "$SWAN_VER" = "3.23" ]; then
+if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then
 cat <<'EOF'
-WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth
- VPN clients from behind the same NAT (e.g. home router).
- Do not upgrade to 3.23 if your use cases include the above.
+WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
+ IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
+ DO NOT upgrade to 3.23/3.25 if your use cases include the above.
 EOF
 fi
@@ -94,14 +100,14 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes.
 This script will make the following changes to your /etc/ipsec.conf:
 Replace this line:
- auth=esp
+ auth=esp
 with the following:
- phase2=esp
+ phase2=esp
 Replace this line:
- forceencaps=yes
+ forceencaps=yes
 with the following:
- encapsulation=yes
+ encapsulation=yes
 Consolidate VPN ciphers for "ike=" and "phase2alg=".
 Re-add "MODP1024" to the list of allowed "ike=" ciphers,
@@ -204,12 +210,11 @@ echo
 case "$SWAN_VER" in
 3.2[3-9])
 cat <<'EOF'
-NOTE: Users upgrading to Libreswan 3.23 or newer should edit
- "/etc/ipsec.conf" and replace these two lines:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines:
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
 with a single line like this:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
 Then run "service ipsec restart".
 EOF
@@ -218,12 +223,11 @@ esac
 if [ "$is_downgrade_to_322" = "1" ]; then
 cat <<'EOF'
-NOTE: Users downgrading to Libreswan 3.22 should edit
- "/etc/ipsec.conf" and replace this line:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line:
+ modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
 with two lines like this:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
 Then run "service ipsec restart".
 EOF